Complying with the GDPR in the context of continuous integration
| dc.contributor.author | Li, Ze Shi | |
| dc.contributor.supervisor | Damian, Daniela | |
| dc.contributor.supervisor | Ernst, Neil | |
| dc.date.accessioned | 2020-04-08T22:31:30Z | |
| dc.date.available | 2020-04-08T22:31:30Z | |
| dc.date.copyright | 2020 | en_US |
| dc.date.issued | 2020-04-08 | |
| dc.degree.department | Department of Computer Science | en_US |
| dc.degree.level | Master of Science M.Sc. | en_US |
| dc.description.abstract | The full enforcement of the General Data Protection Regulation (GDPR) that began on May 25, 2018 forced any organization that collects and/or processes personal data from European Union citizens to comply with a series of stringent and comprehensive privacy regulations. Many software organizations struggled to comply with the entirety of the GDPR's regulations both leading up and even after the GDPR deadline. Previous studies on the subject of the GDPR have primarily focused on finding implications for users and organizations using surveys or interviews. However, there is a dearth of in-depth studies that investigate compliance practices and compliance challenges in software organizations. In particular, small and medium enterprises are often neglected in these previous studies, despite small and medium enterprises representing the majority of organizations in the EU. Furthermore, organizations that practice continuous integration have largely been ignored in studies on GDPR compliance. Using design science methodology, we conducted an in-depth study over the span of 20 months regarding GDPR compliance practices and challenges in collaboration with a small, startup organization. Our first step helped identify our collaborator's business problems. Subsequently, we iteratively developed two artifacts to address those business problems: a set of privacy requirements operationalized from GDPR principles, and an automated GDPR tool that tests these GDPR-derived privacy requirements. This design science approach resulted in five implications for research and for practice about ongoing challenges to compliance. For instance, our research reveals that GDPR regulations can be partially operationalized and tested through automated means, which is advantageous for achieving long term compliance. In contrast, more research is needed to create more efficient and effective means to disseminate and manage GDPR knowledge among software developers. | en_US |
| dc.description.scholarlevel | Graduate | en_US |
| dc.identifier.uri | http://hdl.handle.net/1828/11676 | |
| dc.language | English | eng |
| dc.language.iso | en | en_US |
| dc.rights | Available to the World Wide Web | en_US |
| dc.subject | Requirements Engineering | en_US |
| dc.subject | GDPR | en_US |
| dc.subject | Privacy | en_US |
| dc.subject | Empirical Study | en_US |
| dc.subject | Design Science Methodology | en_US |
| dc.subject | Privacy Compliance | en_US |
| dc.subject | Continuous Software Engineering | en_US |
| dc.subject | Continuous Integration | en_US |
| dc.title | Complying with the GDPR in the context of continuous integration | en_US |
| dc.type | Thesis | en_US |